A new cyber threat campaign, named Sea Turtle, has been discovered by Cisco Talos. This campaign targets not only public and private entities but also national security organizations in the UAE and North Africa. The actors behind it use DNS hijacking to achieve their objectives.

Cybersecurity experts have found that Sea Turtle, a malicious campaign, hijacks DNS in order to steal credentials and other sensitive information.

What is DNS Hijacking?

It is a malicious attack in which queries to a Domain Name System (DNS) server are redirected to a server controlled by malicious actors rather than the server the request was originally meant for. In many cases, the attackers compromise websites and change their DNS addresses so that visitors end up at a completely different online destination.

Let’s take a look:

According to cyber security experts, Sea Turtle has affected 40 different national security organizations in the Middle East and North Africa. The geographic spread of Sea Turtle victims shows countries such as Turkey, Armenia, Syria, Iraq, Jordan, the UAE, Egypt, Libya, Lebanon, Cyprus and Albania as primary targets. On 24 January 2019, the Department of Homeland Security issued an alert about this activity, warning about the attackers’ intentions.

Who is most affected by this?

Sea Turtle mostly targets third-party entities such as DNS registrars, telecommunication companies and internet service providers in the US and Sweden. Its primary victims are usually national security organizations, ministries of foreign affairs and energy organizations from the Middle East and North Africa.

By now you may be wondering how the attack actually works.

Let me explain:

1. The attacker gains initial access to the target entity.

2. Next, the attacker moves through the network and obtains credentials.

3. The attacker exfiltrates material from the network.

4. Then, using the compromised credentials, the attacker gains access to the DNS registry.

5. Later, the attacker issues an UPDATE command that points the domain at an actor-controlled name server.

6. So, when the victim sends a DNS request for a target domain, it receives a response from the actor-controlled server.

7. Next, the actor-controlled server sends a falsified record that points to the MitM (Man-in-the-Middle) server.

8. The victim unknowingly enters their credentials on the MitM server.

9. Next, the attacker harvests the victim’s credentials from the MitM server.

10. The attacker then passes the victim’s credentials on to the legitimate server.

11. Finally, the attacker is authenticated as the victim.
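The decisive step in the chain above, and in the definition of DNS hijacking earlier on the page, is the change of a domain's name server records at the registry. A defender who keeps a known-good baseline of a domain's NS, A and MX records and compares it with what the domain currently serves will see that change as soon as it propagates. The script below is an added example written for this page, not code from Cisco Talos or from Buzinessware; all domain names and addresses in it are constructed, and the "observed" data is hard-coded so it runs offline. In a real deployment the `OBSERVED` dictionary would be filled by live lookups (for instance with dnspython) from more than one resolver, and the findings would go to a ticketing or alerting system.

```python
"""Baseline-drift monitor for DNS records (added example, not from the
original article). It compares the records a domain currently serves with a
known-good baseline and reports every deviation, treating a change of NS
records as the strongest indicator of the registrar-level hijack described in
the attack steps. Every value below is constructed for the example."""

from dataclasses import dataclass

RECORD_TYPES = ("NS", "A", "MX")

# Known-good baseline, captured while the zone was trusted (constructed values).
BASELINE = {
    "example-ministry.test": {
        "NS": {"ns1.legit-dns.test.", "ns2.legit-dns.test."},
        "A": {"203.0.113.10"},
        "MX": {"10 mail.example-ministry.test."},
    },
}

# What the monitor sees on a later run (constructed to show one NS host and
# the A record swapped for attacker-controlled values, MX left untouched).
OBSERVED = {
    "example-ministry.test": {
        "NS": {"ns1.attacker-dns.test.", "ns2.legit-dns.test."},
        "A": {"198.51.100.7"},
        "MX": {"10 mail.example-ministry.test."},
    },
}


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    added: frozenset      # records present now but absent from the baseline
    removed: frozenset    # records in the baseline that are no longer served
    severity: str


def check_domain(domain, baseline, observed):
    """Return one Finding per record type whose record set differs from the baseline."""
    findings = []
    for rtype in RECORD_TYPES:
        expected = set(baseline.get(rtype, ()))
        current = set(observed.get(rtype, ()))
        added = current - expected
        removed = expected - current
        if not added and not removed:
            continue
        # A changed NS set means a different party now answers for the whole
        # zone; A/MX drift may be a legitimate migration but still needs review.
        severity = "critical" if rtype == "NS" else "high"
        findings.append(Finding(domain, rtype, frozenset(added), frozenset(removed), severity))
    return findings


def run_monitor(baseline=BASELINE, observed=OBSERVED):
    """Check every baselined domain; a domain missing from `observed` reports all
    its baseline records as removed, which is itself worth an alert."""
    findings = []
    for domain, expected in baseline.items():
        findings.extend(check_domain(domain, expected, observed.get(domain, {})))
    return findings


if __name__ == "__main__":
    for f in run_monitor():
        print(f"[{f.severity}] {f.domain} {f.rtype}: "
              f"added={sorted(f.added)} removed={sorted(f.removed)}")
```

Running it reports a critical NS finding and a high A finding for the constructed domain and nothing for MX. The baseline should be stored outside the monitored zone and refreshed only through a change-control step, since an attacker who can rewrite both the records and the baseline defeats the comparison.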

The truth is:

Sea Turtle campaigns have been operating for over two years now, and these cyber-attacks are continuing despite clear documentation of this methodology by cyber-security experts.
This clearly highlights the need for security-focused organizations to have a robust safety net that safeguards against Sea Turtle-like attacks.

Buzinessware is well equipped to tackle such threats and to protect its customers’ data from such attackers. To learn more about our cybersecurity plans, CONTACT US NOW!